20 Years of PaX
PaX Team, SSTIC, 2012.06.06


1. 20 Years of PaX (title slide): PaX Team, SSTIC, 2012.06.06

2. Outline
   ◮ About: Introduction, Design Concepts
   ◮ Past: Userland
   ◮ Present: Kernel Self-Protection, Toolchain Support
   ◮ Future: Userland, Kernel

3. Introduction: What is PaX?
   ◮ Host Intrusion Prevention System (HIPS)
   ◮ Focus: exploits for memory corruption bugs
   ◮ Bugs vs. exploits vs. exploit techniques
   ◮ Threat model: arbitrary read/write access to memory
   ◮ Local/remote and userland/kernel
   ◮ Linux 2.2.x, 2.4.x, 2.6.x, 3.x (2000-2012)
   ◮ Developed by the PaX Team :)
   ◮ grsecurity by Brad Spengler (spender)

4. Introduction: PaX Features
   ◮ Runtime code generation control (non-executable pages)
   ◮ Address Space Layout Randomization (ASLR)
   ◮ Kernel self-protection
   ◮ Various infrastructure changes for supporting all the above

5. Design Concepts: Vulnerability Roadmap (where things can go wrong)
   ◮ Idea/Design
     ◮ Education, talent, modeling, art vs. science
   ◮ Development
   ◮ Deployment/Configuration/Operation/Maintenance
   ◮ Procedures (manuals, standards, etc.)
   ◮ Logging/monitoring/analysis

6. Design Concepts: How to Improve Development
   ◮ Education
   ◮ Tools/toolchain (analysis, runtime checks)
   ◮ Testing/exploiting (fuzzing)
   ◮ Exploit-resistant runtime environment (PaX :)
   ◮ Instead of finding the exploitable bugs, make them non-exploitable

7. Design Concepts: Exploit Techniques
   ◮ Focus: exploits against memory corruption bugs
   ◮ Execute injected code (shellcode)
   ◮ Execute existing code out-of-(intended)-order (return-to-libc, ROP/JOP)
   ◮ Execute existing code in-(intended)-order (data-only attacks)

8. Past (section divider)

9. Userland: Overview
   ◮ Non-executable page support on i386 (PAGEEXEC/SEGMEXEC)
   ◮ Runtime code generation control (MPROTECT)
   ◮ Address Space Layout Randomization (ASLR, RANDEXEC)
   ◮ Compatibility (per-binary feature control, text relocations, trampoline emulation)

10. Userland: PAGEEXEC/SEGMEXEC/MPROTECT
   ◮ PAGEEXEC: paging-based simulation of non-executable pages on i386 (2000, pre-NX days)
   ◮ SEGMEXEC: segmentation-based simulation of non-executable pages on i386 (2002)
   ◮ MPROTECT: runtime code generation control (2000)
   ◮ The NX bit is in wide use nowadays (BSDs, iOS, Linux, Windows/DEP, etc.)

11. Userland: ASLR
   ◮ Introduced in July 2001 as a stopgap measure (not how it turned out :)
   ◮ Idea: artificially inflated entropy in memory addresses (both code and data)
   ◮ Reduced exploit reliability
   ◮ In wide use nowadays (BSDs, iOS, Linux, Windows, etc.)

12. Present (section divider)

13. Kernel Self-Protection: Overview
   ◮ Non-executable kernel pages (KERNEXEC)
   ◮ Read-only kernel data (KERNEXEC, CONSTIFY)
   ◮ Userland/kernel address space separation (UDEREF)
   ◮ Restricted userland/kernel copying (USERCOPY)
   ◮ Userland/kernel copying race reduction
   ◮ Instant free memory sanitization (SANITIZE)

14. Kernel Self-Protection: KERNEXEC
   ◮ Non-executable pages for the kernel's address space
   ◮ Executable userland pages must not be executable from kernel mode
     ◮ i386: code segment excludes the entire userland address space
     ◮ amd64: compiler plugin or UDEREF
     ◮ Supervisor Mode Execution Prevention (CR4.SMEP) since Ivy Bridge (already supported in mainline Linux)
   ◮ Page table cleanup: read-write vs. read-execute regions (kmaps)
   ◮ Special cases: boot/BIOS, ACPI, EFI, PNP, v8086 mode memory, vsyscall (amd64)

15. Kernel Self-Protection: Constification
   ◮ Creates read-only data mappings
   ◮ Moves data into read-only mappings (.rodata, .data..read_only)
   ◮ Patches (descriptor tables, top-level page tables, etc.)
   ◮ Compiler plugin (ops structures)

16. Kernel Self-Protection: UDEREF
   ◮ Prevents unintended userland access by kernel code
   ◮ Removes a disadvantage of the shared user/kernel address space
   ◮ i386: based on segmentation
     ◮ data segment excludes the entire userland address space
   ◮ amd64: based on paging
     ◮ remaps the userland page tables as non-executable while in kernel mode
     ◮ needs a per-CPU page global directory (PGD)

17. Kernel Self-Protection: USERCOPY
   ◮ Bounds checking for copying from kernel memory to userland (info leak) or vice versa (buffer overflow)
   ◮ spender's idea: ksize can determine the object's size from the object's address
   ◮ Originally heap (slab) buffers only
   ◮ Limited stack buffer support (see the Future section)
   ◮ Disables SLUB merging
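The check this slide describes, as an added example that is not PaX's or grsecurity's code: a user-space model of one slab (a constructed array of fixed-size objects standing in for ksize(), which in the real kernel derives the object size from the object's address) and the test USERCOPY performs before a copy in either direction. The slab layout, model_ksize() and the leak_attempt() scenario are assumptions for illustration; the real check runs inside the kernel's copy_*_user() paths and also handles stack buffers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one slab: SLAB_NOBJS objects of SLAB_OBJ_SIZE bytes
 * laid out back to back, so (as with ksize()) an object's extent follows from
 * any address inside it. Sample data only, not kernel code. */
#define SLAB_OBJ_SIZE 64u
#define SLAB_NOBJS    16u
static unsigned char slab[SLAB_OBJ_SIZE * SLAB_NOBJS];

/* ksize()-like lookup: size of the object containing p and the offset of p
 * within that object; returns 0 if p is not inside this slab at all. */
static size_t model_ksize(const void *p, size_t *off_in_obj)
{
    uintptr_t base = (uintptr_t)slab, addr = (uintptr_t)p;
    if (addr < base || addr >= base + sizeof slab)
        return 0;
    *off_in_obj = (size_t)(addr - base) % SLAB_OBJ_SIZE;
    return SLAB_OBJ_SIZE;
}

/* The USERCOPY check: the kernel-side range [ptr, ptr+n) must lie entirely
 * within the single heap object that contains ptr. Returns 0 if the copy is
 * in bounds, -1 if it would spill into neighbouring objects (an info leak on
 * copy_to_user, a heap overflow on copy_from_user). */
int usercopy_check(const void *ptr, size_t n)
{
    size_t off;
    size_t sz = model_ksize(ptr, &off);
    if (sz == 0)
        return -1;      /* not a heap object: real USERCOPY treats stack/rodata separately */
    if (n > sz - off)   /* written this way so a huge n cannot wrap ptr + n */
        return -1;
    return 0;
}

/* Unchecked copy_to_user() as it behaved before USERCOPY: whatever length the
 * caller computed is copied, neighbouring objects included. */
int copy_to_user_unchecked(void *udst, const void *ksrc, size_t n)
{
    memcpy(udst, ksrc, n);
    return 0;
}

/* Hardened variant: refuse before touching memory (the real code also logs
 * the offending copy and kills the task). */
int copy_to_user_checked(void *udst, const void *ksrc, size_t n)
{
    if (usercopy_check(ksrc, n) != 0)
        return -1;
    memcpy(udst, ksrc, n);
    return 0;
}

/* Constructed scenario: a driver hands userland a copy of slab object #1, but
 * the length it uses is attacker-influenced (a classic unbounded-copy leak).
 * Returns 0 if the copy went through, -1 if USERCOPY stopped it. */
int leak_attempt(size_t attacker_len)
{
    unsigned char user_buf[SLAB_OBJ_SIZE * SLAB_NOBJS];
    const unsigned char *obj1 = slab + 1 * SLAB_OBJ_SIZE;
    return copy_to_user_checked(user_buf, obj1, attacker_len);
}

int main(void)
{
    printf("copy of object 1 with its real size: %d\n", leak_attempt(SLAB_OBJ_SIZE));
    printf("copy of object 1 with 4x its size:  %d\n", leak_attempt(4 * SLAB_OBJ_SIZE));
    return 0;
}
```

The reason the slide mentions disabling SLUB merging follows from the model: the check is only as precise as the object size ksize() reports, and merged caches would report the size of the largest merged object rather than the one actually allocated.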

18. Kernel Self-Protection: Userland/Kernel Copying Races
   ◮ Userland/kernel copying can (be made to) sleep
   ◮ During that sleep userland memory can change
   ◮ Time-Of-Check-To-Time-Of-Use race (TOCTTOU)
   ◮ Exploits based on unbounded userland/kernel copying become controllable
   ◮ Mitigation: basically prefaults the userland range
   ◮ Reduces but does not eliminate the race window
   ◮ Detects controlled unbounded copies before the actual copy

19. Kernel Self-Protection: SANITIZE
   ◮ Reduces potential info leaks from kernel memory to userland
   ◮ Freed memory is cleared immediately
   ◮ Low-level page allocator, not the slab layer
   ◮ Works on whole pages, not individual heap objects
   ◮ Kernel stacks on task death
   ◮ Anonymous userland mappings on munmap
   ◮ Anti-forensics vs. privacy

20. Toolchain Support: Overview
   ◮ gcc plugins (gcc 4.5-4.7)
   ◮ Kernel stack leak reduction (STACKLEAK)
   ◮ Function pointer structure constification (CONSTIFY)
   ◮ User/kernel address space separation for code only (KERNEXEC)
   ◮ Size parameter overflow detection and prevention (SIZE_OVERFLOW)

21. Toolchain Support: GCC plugins
   ◮ Loadable module system introduced in gcc 4.5
   ◮ Loaded early, right after command line parsing
   ◮ No well-defined API; all public symbols are available for plugin use
   ◮ Typical (intended :) use: new IPA/GIMPLE/RTL passes

22. Toolchain Support: STACKLEAK plugin
   ◮ First plugin :)
   ◮ Reduces kernel stack information leaks
   ◮ Before a kernel/userland transition the used part of the kernel stack is cleared
   ◮ Stack depth is recorded in functions having a big enough stack frame
   ◮ Side effect: finds all (potentially exploitable :) alloca calls
   ◮ Special paths for ptrace/auditing
   ◮ Problems: considerable overhead, races, leaks from within a single syscall still possible

23. Toolchain Support: CONSTIFY plugin
   ◮ Automatic constification of ops structures (200+ in Linux)
   ◮ Structures with function pointer members only
   ◮ Structures explicitly marked with a do_const attribute
   ◮ no_const attribute for special cases
   ◮ Local variables not allowed

24. Toolchain Support: KERNEXEC plugin
   ◮ Prevents executing userland code on amd64
   ◮ i386 achieves this already via segmentation
   ◮ Sets the most significant bit in all function pointers
   ◮ Userland addresses become non-canonical ones
   ◮ GIMPLE pass: C function pointers
   ◮ RTL pass: return values
   ◮ Special cases: assembly source, asm()
   ◮ Two methods: bts vs. or (reserves %r10 for the bitmask)
   ◮ Compatibility vs. performance
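Why the tagging on this slide (and the amd64 case on slide 14) makes a hijacked function pointer fail closed, as an added example rather than the plugin's own code (which rewrites GIMPLE and RTL inside gcc): is_canonical() models the CPU's canonical-address rule for 48-bit virtual addresses, kernexec_tag() models the bit the plugin ORs in via %r10 or sets with bts before every indirect call, and the struct demo_ops dispatch with its example kernel and userland addresses is a constructed scenario.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit the KERNEXEC plugin forces on in every function pointer. With the "or"
 * method the mask lives in %r10 ("or %r10, %reg"); "bts $63, %reg" sets the
 * same bit in place. Identical result, different code size and speed. */
#define KERNEXEC_MASK (1ULL << 63)

/* amd64 canonical form with 48-bit virtual addresses: bits 63..47 must all be
 * zero (userland half) or all one (kernel half). Anything else faults (#GP)
 * when used as a code or data address. */
bool is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;          /* the 17 bits 63..47 */
    return top == 0 || top == 0x1ffffULL;
}

/* What the GIMPLE pass inserts before a call through a C function pointer. */
uint64_t kernexec_tag(uint64_t fptr)
{
    return fptr | KERNEXEC_MASK;
}

/* True if an indirect call through the tagged pointer would fault instead of
 * executing: a kernel address already has bit 63 set and is unchanged, a
 * userland address gains bit 63 with bits 62..47 still clear, i.e. becomes
 * non-canonical. */
bool kernexec_call_faults(uint64_t fptr)
{
    return !is_canonical(kernexec_tag(fptr));
}

/* Constructed ops structure, the kind of target an attacker overwrites with a
 * userland address in a ret2usr exploit. Example addresses only. */
struct demo_ops {
    uint64_t ioctl;
};

/* Dispatch as an instrumented kernel would do it. Returns 1 if control would
 * reach kernel code, 0 if the hardware would raise #GP on the tagged pointer. */
int dispatch(const struct demo_ops *ops)
{
    uint64_t target = kernexec_tag(ops->ioctl);
    if (!is_canonical(target))
        return 0;   /* a real CPU faults here before executing anything */
    return 1;
}

int main(void)
{
    struct demo_ops legit    = { .ioctl = 0xffffffff81234560ULL }; /* kernel text */
    struct demo_ops hijacked = { .ioctl = 0x00007f3c4e001000ULL }; /* mmap'd shellcode */
    printf("legit call reaches kernel code: %d\n", dispatch(&legit));
    printf("hijacked call reaches code:     %d\n", dispatch(&hijacked));
    return 0;
}
```

The same model explains the slide's "special cases": a function pointer loaded in hand-written assembly or passed through an asm() statement never goes through the GIMPLE or RTL pass, so it gets no tag and needs manual treatment.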

25. Toolchain Support: SIZE_OVERFLOW plugin
   ◮ Detects integer overflows in expressions used as a size parameter: kmalloc(count * sizeof...)
   ◮ Written by Emese Révfy
   ◮ Proper implementation of spender's old idea
   ◮ Initial set of functions/parameters marked by the size_overflow function attribute
   ◮ Walks use-def chains and duplicates statements using a double-wide integer type
   ◮ SImode/DImode vs. DImode/TImode
   ◮ Special cases: asm(), function return values, constants (intentional overflows), etc.
   ◮ More in the blog Real Soon Now: http://forums.grsecurity.net/viewforum.php?f=7
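The double-wide duplication this slide describes, written out by hand as an added example (the plugin does this transformation automatically on GIMPLE; this is not its code). A 32-bit kernel's size_t (SImode) is modelled with uint32_t and the double-wide type (DImode) with uint64_t; on 64-bit the same scheme uses TImode, which plain C only reaches through a 128-bit compiler extension, so the narrow case is shown. The driver-style helpers and the element size of 16 are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit kernel's size_t (SImode) and the double-wide type (DImode)
 * in which the plugin recomputes every statement on the use-def chain. */
typedef uint32_t size32_t;
typedef uint64_t size32_wide_t;

/* What the unpatched expression kmalloc(count * sizeof(struct item)) computes:
 * the multiplication silently wraps modulo 2^32, so an attacker-chosen count
 * yields a tiny allocation that later code fills with count elements. */
size32_t unchecked_alloc_size(size32_t count, size32_t elem)
{
    return count * elem;
}

/* What the plugin effectively emits for a single multiply: the expression
 * recomputed in the double-wide type and compared with its narrow truncation.
 * Returns 0 and stores the size on success, -1 on overflow (where the kernel
 * reports the event and the allocation is refused). */
int checked_alloc_size(size32_t count, size32_t elem, size32_t *out)
{
    size32_wide_t wide = (size32_wide_t)count * elem;
    if (wide != (size32_wide_t)(size32_t)wide)
        return -1;
    *out = (size32_t)wide;
    return 0;
}

/* A whole use-def chain, as the plugin walks it: header + count * elem, each
 * intermediate result checked, since the addition can overflow even when the
 * multiplication did not. */
int checked_record_size(size32_t header, size32_t count, size32_t elem, size32_t *out)
{
    size32_wide_t body = (size32_wide_t)count * elem;
    if (body != (size32_wide_t)(size32_t)body)
        return -1;
    size32_wide_t total = (size32_wide_t)header + body;
    if (total != (size32_wide_t)(size32_t)total)
        return -1;
    *out = (size32_t)total;
    return 0;
}

/* Driver-style allocation helpers taking an attacker-chosen count (e.g. an
 * ioctl argument). They return the size to allocate, or 0 when refused. */
size32_t alloc_items_hardened(size32_t count)
{
    size32_t sz;
    if (checked_alloc_size(count, 16, &sz) != 0)
        return 0;
    return sz;
}

size32_t record_size_or_zero(size32_t header, size32_t count, size32_t elem)
{
    size32_t sz;
    if (checked_record_size(header, count, elem, &sz) != 0)
        return 0;
    return sz;
}

int main(void)
{
    size32_t evil = 0x40000001u;            /* 0x40000001 * 4 == 0x100000004 */
    printf("unchecked: %u bytes\n", unchecked_alloc_size(evil, 4)); /* wraps to 4 */
    printf("hardened:  %u bytes\n", alloc_items_hardened(evil));    /* refused: 0 */
    return 0;
}
```

The slide's "constants (intentional overflows)" special case is visible in this model too: a kernel idiom such as passing (size_t)-1 to mean "no limit" would trip the check, which is why such sites need to be excluded rather than instrumented.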

26. Future (section divider)

27. Userland: Overview
   ◮ Control Flow Enforcement
   ◮ Size overflow detection and prevention
   ◮ Kernel-assisted use-after-free detection

28. Userland: Control Flow Enforcement
   ◮ Compiler plugin
   ◮ (No) binary-only code support
   ◮ Assembly source instrumentation
   ◮ Runtime code generation support (Just-In-Time compiler engines)
